...

Get a certificate from Let's Encrypt using win-acme. Win-acme is a free program that uses Let's Encrypt to generate a certificate that expires every 90 days, configures IIS with the certificate, and automatically renews the certificate.

Download and Prepare win-acme

  1. Download win-acme

  2. Extract the zip

  3. From the extracted win-acme directory, open settings_default.json in your favorite text editor

  4. Find PrivateKeyExportable and change the value from false to true

  5. Copy the contents of the extracted directory to a permanent location such as C:\Program Files\win-acme

Create the Certificate

  1. Run wacs.exe with admin privileges from the permanent location

  2. M - Create certificate (full options)

  3. 2 - Manual input

  4. Enter the server’s public FQDN (ex: myserver.myorg.com)

  5. Friendly name: Enter the server’s public FQDN (ex: myserver.myorg.com). The default name contains “[Manual]”, which will cause issues.

  6. 4 - Single certificate

  7. 2 - [http] Serve verification files from memory

  8. 2 - RSA

  9. 4 - Windows Certificate Store (Local Computer)

  10. 2 - [My] - General computer store (for Exchange/RDS)

  11. 5 - No (additional) store steps

  12. 1 - Create or update bindings in IIS

  13. 1 - Default Web Site

  14. 3 - No (additional) installation steps

  15. N - Open in default application

  16. Y - Do you agree with the terms

  17. Enter an email address for notifications about problems and abuse

  18. N - Do you want to specify the user the task will run as

  19. Q - Quit

  20. Edit C:\Program Files\win-acme\settings.json

  21. Change PrivateKeyExportable from false to true

  22. Save

  23. Run wacs.exe with admin privileges from the permanent location

  24. A - Manage renewals

  25. S - Run the renewal (force). This forces the certificate to be re-created with an exportable key

  26. Q - Quit

At this point, the certificate should be in the server's certificate store, and an IIS binding for port 443 that uses the certificate and the host name should have been created. The certificate will be set up to auto-renew every 30 days.
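
One way to confirm that state from an elevated Windows PowerShell session. This is an added example, not part of the original page or of win-acme; it assumes the guide's example FQDN, the Default Web Site, and the RSA key type chosen above.

```powershell
# Added verification example; run in an elevated Windows PowerShell session.
# Assumption: $Fqdn and $SiteName are the example values used in this guide.
$Fqdn     = 'myserver.myorg.com'
$SiteName = 'Default Web Site'

Import-Module WebAdministration

# Newest certificate in LocalMachine\My whose DNS name list contains the FQDN
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $Fqdn } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate for $Fqdn found in LocalMachine\My" }

# Check whether the private key is exportable.
# CNG keys and legacy CSP keys expose this differently, so handle both.
$exportable = $null
if ($cert.HasPrivateKey) {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $exportable = $rsa.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $exportable = $rsa.CspKeyContainerInfo.Exportable
    }
}

# HTTPS binding on port 443 for the site, and whether it uses this certificate
$binding = Get-WebBinding -Name $SiteName -Protocol https |
    Where-Object { $_.bindingInformation -like '*:443:*' } |
    Select-Object -First 1

[pscustomobject]@{
    Thumbprint      = $cert.Thumbprint
    NotAfter        = $cert.NotAfter
    DaysRemaining   = [int]($cert.NotAfter - (Get-Date)).TotalDays
    HasPrivateKey   = $cert.HasPrivateKey
    KeyExportable   = $exportable
    Binding         = $binding.bindingInformation
    BindingUsesCert = ($binding.certificateHash -eq $cert.Thumbprint)
}
```

After following this guide, KeyExportable and BindingUsesCert should both be True. An exportable key can be copied off the server by any account with administrative access to the certificate store, so keep that access limited.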

...

Tip

Try to access the website using HTTPS. It should succeed and there should be a lock icon.

Force Renewal - Optional

Use these steps if you need to force a renewal, for example after settings.json has been changed.

  1. Run wacs.exe with admin privileges from the permanent location

  2. A - Manage renewals

  3. S - Run the renewal (force) This forces the certificate to be re-created with an exportable key

  4. Q - Quit

  5. Q - Quit